January 2021: Azure IaC with Terraform by Jonas Wanninger

Transcript

1. MS Azure Zürich User Group IAC Episode 3 Terraform Strikes

   Back! Jonas Wanninger

2. Jonas Wanninger Consultant and Cloud Architect • Azure (Automation, Architecture

   and Security) • Development (.NET, PowerShell, SQL) • Microsoft SQL Server • Microsoft Certified Trainer https://www.linkedin.com/in/jonas-wanninger-0a4833139/

3. Terraform Strikes Back?! VS

4. Why is IaC cool? Provides consistency across all deployments and

   stages Version control Faster deployments and recovery Just in time deployments

5. First things First: Terraform Overview • Company: Hashicorp • Open

   Source • based on Azure SDK for GO! • Cloud vendor independent

6. Terraform Cloud Consistent and reliable deployment environment Shared state and

   secret data Approving changes to infrastructure, A private registry for modules Terraform Enterprise is the Self Hosted version of the Terraform Cloud

7. resource "azurerm_resource_group" "rg" { name = "myTFResourceGroup" location = "westus2"

   } HCL Introduction <BLOCK TYPE> "<BLOCK LABEL>" "<BLOCK LABEL>" { # Block body <IDENTIFIER> = <EXPRESSION> # Argument } Overall Syntax Example

8. First things First: Terraform Workflow Write Code Init Terraform Validate

   Plan Apply Get Happy!

9. DEMO

10. Terraform files terraform.tfstate terraform.tfvars main.tf

11. Advanced Terraform Topics: The Statefile Terraform always keeps track of

    your infrastrucuture Contains sensitive data in clear text Stored locally Not great for working in teams Shows your entire cloud infrastructure Including security issues ;)

12. Advanced Terraform Topics: The Statefile • Remote Backend are the

    solution e.g Azure Blob Storage • Encrypted • Locking mechanism state.tfstate Authenticate to storage account (e.g with SP or MSI) Gets decrypted while Terraform works with it On the Storage Accounts its encrypted again.

13. Advanced Terraform Topics: Keeping Your Secrets

14. Advanced Terraform Topics: Keeping Your Secrets

15. Advanced Terraform Topics: Keeping Your Secrets

16. Advanced Terraform Topics: Keeping Your Secrets

17. Advanced Terraform Topics: Keeping Your Secrets • Tool Recommendation •

    GitHub: mozilla / sops • Encrypts and decrypts variable files on the fly • Encryption Keys can be kept in an Azure Key Vault • Encrypted Terraform variable file can be checked in Version Control Pull Code incl. encrypted variables files from source control Decrypt variables file Terraform deployment Delete files from deployment server

18. Advanced Terraform Topics: Dependency Graph Terraform plan •Create Dependency Graph

    •Can be saved Terraform apply •Traverses dependency graph Depends On •Dependencies can be manually specified but that's not necessary

19. When to Use Terraform When to Use ARM? – Speed

    ARM Templates o directly talk to the ressource manager o Can parallelize work Terraform o In most cases slower o No parallelism, just for depdendency traversal

20. When to Use Terraform When to Use ARM? - Features

    ARM Templates o Always has the latest Azure features (previews) o Lacks Code management fatures and modularization o Manual dependency management o Especially annoying since you sometimes run into limitations e.g V-NET Terraform o Depends on the Azure SDK for GO! o More features towards code modularization and dynamic code functions o Automatic dependency management o No history tracking in Azure

21. When to Use Terraform When to Use ARM? – Use

    Cases Use Case Go With Need newest features? ARM Deployment times are critical? ARM Infrastructure is quite simple? ARM Infrastructure is complex? Terraform Hybrid Cloud capablitiy is important? Terraform

22. Contact: [email protected] Thank you for attending! Stay Healthy!